Editing the ogc-sp.xml File With Certificates and Properties

To edit the ogc-sp.xml file with certificates and properties:

  1. Edit the ogc-sp.xml file.

    The following is a sample ogc-sp.xml file for reference.

    Note that there are two long, multi-line strings between the <ds:X509Certificate> tags. These are the certificates that will be overwritten with the site-specific certificates that were created in Generating Certificates. Shortened versions of the certificates are shown in this sample for demonstration purposes; the actual certificates will be much longer.

    <?xml version="1.0" encoding="UTF-8"?>
    <md:EntityDescriptor entityID="test.ibi.com" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
        <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
            <md:Extensions>
                <idpdisco:DiscoveryResponse xmlns:idpdisco="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol" Binding="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol" Location="http://localhost:8080/spring-security-saml/login/auth/alias/localhost?disco=true"/>
            </md:Extensions>
            <md:KeyDescriptor use="signing">
                <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                    <ds:X509Data>
                        <ds:X509Certificate>
    MIIDoTCCAomgAwIBAgIEf6nJDTANBgkqhkiG9w0BAQsFADCBgDELMAkGA1UEBhMCVVMxETAPBgNV
    Ykym9tOG+m21eC5LgRX+qyfB+XE7OP24N/ccKYuJkcQdJKnJCFxgdC3xl45EfaEFh5bQ0UOZzzSM
    cyNApOW+qssSOxRJyWbqAEOx3SxE
                        </ds:X509Certificate>
                    </ds:X509Data>
                </ds:KeyInfo>
            </md:KeyDescriptor>
            <md:KeyDescriptor use="encryption">
                <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                    <ds:X509Data>
                        <ds:X509Certificate>
    MIIDpzCCAo+gAwIBAgIEIuaEgzANBgkqhkiG9w0BAQsFADCBgzELMAkGA1UEBhMCVVMxETAPBgNV
    0MaUTCLU1X94XcQJQ8zskBLSSw2jrf9rvGzBMHJrTphJGl0RluIpJWu0fWFhNRRxq61FwZzRl53j
    5pHGZ2yxcPWefW05qqjX/ZZWkx8rxH/YnTvA
                        </ds:X509Certificate>
                    </ds:X509Data>
                </ds:KeyInfo>
            </md:KeyDescriptor>
            <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://iwserv153.ibi.com:8080/ogc/saml/SingleLogout/alias/test.ibi.com"/>
            <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://iwserv153.ibi.com:8080/ogc/saml/SingleLogout/alias/test.ibi.com"/>
            <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="http://iwserv153.ibi.com:8080/ogc/saml/logout/SingleLogout/test.ibi.com"/>
            <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
            <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
            <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
            <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
            <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName</md:NameIDFormat>
            <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://iwserv153.ibi.com:8080/ogc/saml/SSO/alias/test.ibi.com" index="0" isDefault="true"/>
            <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="http://iwserv153.ibi.com:8080/ogc/saml/SSO/alias/test.ibi.com" index="1" isDefault="false"/>
        </md:SPSSODescriptor>
    </md:EntityDescriptor>
  2. Navigate to the following directory:
    \omnigen\omnigendata\sso
  3. Open the wso2sign.crt file.

    The long multi-line string between -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- is the actual (base64-encoded) certificate. Copy it, without the BEGIN and END marker lines, and paste it into the ogc-sp.xml file between the <ds:X509Certificate> tags that are below the <md:KeyDescriptor use="signing"> tag. When pasting, ensure that you overwrite the entire existing string that is currently there, so that nothing but the new certificate remains between the tags.

  4. Open the wso2encr.crt file from the \sso directory.

    The long multi-line string between -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- is the actual (base64-encoded) certificate. Copy it, without the BEGIN and END marker lines, and paste it into the ogc-sp.xml file between the <ds:X509Certificate> tags that are below the <md:KeyDescriptor use="encryption"> tag. When pasting, ensure that you overwrite the entire existing string that is currently there, so that nothing but the new certificate remains between the tags.

  5. Still editing the ogc-sp.xml file, edit the entityID attribute of the <md:EntityDescriptor> element, which is located at the top of the file.

    Set the value to the EntityID value used in the sso.properties file. The two values must match exactly. For example:

    <md:EntityDescriptor entityID="test.ibi.com"
  6. Edit the five URLs that embed the EntityID value.

    There are three SingleLogoutService tags and two AssertionConsumerService tags. They are located at the bottom of the ogc-sp.xml file, and in each one the last segment of the Location URL is the EntityID (test.ibi.com in the sample):

    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://iwserv153.ibi.com:8080/ogc/saml/SingleLogout/alias/test.ibi.com"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://iwserv153.ibi.com:8080/ogc/saml/SingleLogout/alias/test.ibi.com"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="http://iwserv153.ibi.com:8080/ogc/saml/logout/SingleLogout/test.ibi.com"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://iwserv153.ibi.com:8080/ogc/saml/SSO/alias/test.ibi.com" index="0" isDefault="true"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="http://iwserv153.ibi.com:8080/ogc/saml/SSO/alias/test.ibi.com" index="1" isDefault="false"/>

  7. Change all five of the default test.ibi.com strings to the EntityID value specified in the sso.properties file. Use exactly the value you set for the entityID attribute in step 5; the path segment and the attribute must match.
  8. In these same five URL strings, change the host name (iwserv153.ibi.com in the sample) to the actual host name of the OGC server that is being used. Leave the scheme, port, and path of each URL as they are unless OGC is reached at a different scheme or port. The IdP sends users and SAML messages to exactly these URLs, so they must be reachable from wherever the IdP directs them: the user's browser for the HTTP-POST and HTTP-Redirect bindings, and the IdP server itself for the SOAP binding.
  9. Save the ogc-sp.xml file and give it to the Identity Provider (IdP) administrator. Before handing it over, confirm that the file is still well-formed XML (for example, by opening it in a browser or an XML editor) and that no test.ibi.com or iwserv153.ibi.com strings remain.
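The following script is added here as a worked example of steps 3 through 9; it is not part of Omni-Gen or OGC. It applies the same edits programmatically (certificate bodies into the two <ds:X509Certificate> elements, the entityID attribute, and the EntityID segment and host name of the five Location URLs) and then runs the kind of check worth doing before the file goes to the IdP administrator. The metadata is a trimmed copy of the sample above; the certificates (produced by fake_pem), the EntityID ogc.example.com and the host ogc-host.example.com are constructed stand-ins. In a real run you would read wso2sign.crt and wso2encr.crt from the \sso directory instead of calling fake_pem.

```python
"""Added example (not product code): apply the ogc-sp.xml edits and check the result.
Metadata, certificates, entityID and host below are constructed stand-ins."""
import base64
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, urlunsplit

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
for _prefix, _uri in NS.items():          # keep md:/ds: prefixes on output instead of ns0:/ns1:
    ET.register_namespace(_prefix, _uri)

# Trimmed copy of the sample ogc-sp.xml from the page (constructed input).
SAMPLE_SP_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor entityID="test.ibi.com" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:X509Data><ds:X509Certificate>OLD-SIGNING</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:X509Data><ds:X509Certificate>OLD-ENCRYPTION</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://iwserv153.ibi.com:8080/ogc/saml/SingleLogout/alias/test.ibi.com"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://iwserv153.ibi.com:8080/ogc/saml/SingleLogout/alias/test.ibi.com"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="http://iwserv153.ibi.com:8080/ogc/saml/logout/SingleLogout/test.ibi.com"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://iwserv153.ibi.com:8080/ogc/saml/SSO/alias/test.ibi.com" index="0" isDefault="true"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="http://iwserv153.ibi.com:8080/ogc/saml/SSO/alias/test.ibi.com" index="1" isDefault="false"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
CERT_PATH = "md:SPSSODescriptor/md:KeyDescriptor[@use='{use}']/ds:KeyInfo/ds:X509Data/ds:X509Certificate"


def fake_pem(seed: int) -> str:
    """Constructed stand-in for wso2sign.crt / wso2encr.crt: DER-shaped bytes (leading SEQUENCE
    tag) wrapped in PEM markers at 64 columns, the way a real .crt file is laid out."""
    der = b"\x30\x82\x01\x00" + bytes((seed * 7 + i) % 256 for i in range(256))
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def pem_body(pem: str) -> str:
    """Steps 3 and 4: the base64 between the PEM markers, joined into one string, which is what
    goes inside <ds:X509Certificate>. Rejects a paste that kept stray characters."""
    m = PEM_RE.search(pem)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    body = "".join(m.group(1).split())
    der = base64.b64decode(body, validate=True)   # binascii.Error (a ValueError) on junk
    if not der or der[0] != 0x30:                 # a DER certificate starts with a SEQUENCE tag
        raise ValueError("PEM body does not decode to a DER SEQUENCE")
    return body


def endpoints(root):
    """The five Location-bearing elements from steps 6 to 8 (three SLO, two ACS)."""
    sp = "md:SPSSODescriptor/"
    return root.findall(sp + "md:SingleLogoutService", NS) + root.findall(sp + "md:AssertionConsumerService", NS)


def rewrite_sp_metadata(xml_bytes, entity_id, host, signing_pem, encryption_pem) -> bytes:
    root = ET.fromstring(xml_bytes)
    old_entity_id = root.get("entityID")
    for use, pem in (("signing", signing_pem), ("encryption", encryption_pem)):
        cert = root.find(CERT_PATH.format(use=use), NS)
        if cert is None:
            raise ValueError(f"no {use} X509Certificate element")
        cert.text = pem_body(pem)                                    # steps 3 and 4
    root.set("entityID", entity_id)                                  # step 5
    for ep in endpoints(root):                                       # steps 6 to 8
        u = urlsplit(ep.get("Location"))
        head, _, last = u.path.rpartition("/")
        if last != old_entity_id:
            raise ValueError(f"{u.path!r} does not end with the old entityID")
        netloc = f"{host}:{u.port}" if u.port else host              # host only; scheme and port kept
        ep.set("Location", urlunsplit((u.scheme, netloc, f"{head}/{entity_id}", u.query, u.fragment)))
    return ET.tostring(root, encoding="UTF-8", xml_declaration=True)


def check_sp_metadata(xml_bytes, entity_id, host, signing_pem, encryption_pem) -> list:
    """Step 9 pre-handoff check: a list of problems, empty when the file is ready for the IdP."""
    try:
        root = ET.fromstring(xml_bytes)
    except ET.ParseError as e:
        return [f"not well-formed XML: {e}"]
    problems = []
    if root.get("entityID") != entity_id:
        problems.append(f"entityID is {root.get('entityID')!r}, expected {entity_id!r}")
    for use, pem in (("signing", signing_pem), ("encryption", encryption_pem)):
        cert = root.find(CERT_PATH.format(use=use), NS)
        if cert is None or cert.text != pem_body(pem):
            problems.append(f"{use} certificate does not match the .crt file")
    eps = endpoints(root)
    if len(eps) != 5:
        problems.append(f"expected 5 SLO/ACS endpoints, found {len(eps)}")
    for ep in eps:
        u = urlsplit(ep.get("Location"))
        if u.hostname != host.lower():
            problems.append(f"{ep.get('Binding')}: host is {u.hostname!r}, expected {host!r}")
        if not u.path.endswith("/" + entity_id):
            problems.append(f"{ep.get('Binding')}: path does not end with /{entity_id}")
    return problems


def demo():
    signing, encryption = fake_pem(1), fake_pem(2)
    out = rewrite_sp_metadata(SAMPLE_SP_XML, "ogc.example.com", "ogc-host.example.com", signing, encryption)
    return out, check_sp_metadata(out, "ogc.example.com", "ogc-host.example.com", signing, encryption)


if __name__ == "__main__":
    metadata, problems = demo()
    print(metadata.decode("utf-8"))
    print("problems:", problems or "none")
```

The rewrite keys every URL edit on the old entityID being the last path segment, so it refuses to touch a Location it does not recognise rather than silently producing a file the IdP will reject; the check function is the same test applied to the file you are about to hand over, and it also reports the unedited sample as having thirteen problems (entityID, both certificates, and host plus path on each of the five URLs).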